Secure coding - Revision history

Liz: Removing link(s) to "Secure by default": Removing links to deleted page Secure by default.

2024-09-01T17:30:20Z

Removing link(s) to "Secure by default": Removing links to deleted page Secure by default.

← Previous revision		Revision as of 17:30, 1 September 2024
Line 82:		Line 82:
	* [[Defensive programming]]		* [[Defensive programming]]
	* [[Security bug]]		* [[Security bug]]
	* [[Secure by default]]		* Secure by default

	== Notes ==		== Notes ==

84.140.207.90: /* Buffer-overflow prevention */ typo

2024-06-19T00:26:56Z

Buffer-overflow prevention: typo

← Previous revision		Revision as of 00:26, 19 June 2024
Line 24:		Line 24:
	// copy a maximum of BUF_SIZE bytes		// copy a maximum of BUF_SIZE bytes
	strncpy(dst, user_input, BUF_SIZE);		strncpy(dst, user_input, BUF_SIZE);
	// set the last character in the buffer to NUL,		// set the last character in the buffer to NUL.
	dst[BUF_SIZE -1] = '\0';		dst[BUF_SIZE -1] = '\0';
	}		}

84.140.207.90: /* Buffer-overflow prevention */ terminate last character with NUL

2024-06-19T00:25:51Z

Buffer-overflow prevention: terminate last character with NUL

← Previous revision		Revision as of 00:25, 19 June 2024
Line 24:		Line 24:
	// copy a maximum of BUF_SIZE bytes		// copy a maximum of BUF_SIZE bytes
	strncpy(dst, user_input, BUF_SIZE);		strncpy(dst, user_input, BUF_SIZE);
			// set the last character in the buffer to NUL,
			dst[BUF_SIZE -1] = '\0';
	}		}
	</syntaxhighlight>Another secure alternative is to dynamically allocate memory on the heap using [[malloc]].<syntaxhighlight lang="c++">		</syntaxhighlight>Another secure alternative is to dynamically allocate memory on the heap using [[malloc]].<syntaxhighlight lang="c++">

Wiki.0905: Added hyperlink

2023-12-08T18:55:35Z

Added hyperlink

← Previous revision		Revision as of 18:55, 8 December 2023
Line 7:		Line 7:
	'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>		'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>

	Some scholars have suggested that in order to effectively confront threats related to cybersecurity, proper security should be coded or “baked in” to the systems. With security being designed into the software, this ensures that there will be protection against insider attacks and reduces the threat to application security.<ref>{{Cite journal \|last=Russell L \|first=Jones \|date=Dec 2004 \|title=Secure Coding: Building Security into the Software Development Life Cycle \|url=https://www.proquest.com/docview/229507883 \|journal=Information Systems Security\|id={{ProQuest\|229507883}} }}</ref>		Some scholars have suggested that in order to effectively confront threats related to [[Computer security\|cybersecurity]], proper security should be coded or “baked in” to the systems. With security being designed into the software, this ensures that there will be protection against insider attacks and reduces the threat to application security.<ref>{{Cite journal \|last=Russell L \|first=Jones \|date=Dec 2004 \|title=Secure Coding: Building Security into the Software Development Life Cycle \|url=https://www.proquest.com/docview/229507883 \|journal=Information Systems Security\|id={{ProQuest\|229507883}} }}</ref>

	== Buffer-overflow prevention ==		== Buffer-overflow prevention ==

Sohom Datta: Moved the information security down with navboxes, since it was converted to a navbox

2023-11-01T15:02:11Z

Moved the information security down with navboxes, since it was converted to a navbox

← Previous revision		Revision as of 15:02, 1 November 2023
Line 4:		Line 4:
	{{More footnotes\|date=September 2010}}		{{More footnotes\|date=September 2010}}
	}}		}}

⚫	{{Computer security}}

	'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>		'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>
Line 90:		Line 88:
	* {{Cite book\| last = Taylor \| first = Art \|author2=Brian Buege \|author3=Randy Layman \| title = Hacking Exposed J2EE & Java \| year = 2006 \| publisher = McGraw-Hill Primis \| pages = 426 \| isbn = 0-390-59975-1 }}		* {{Cite book\| last = Taylor \| first = Art \|author2=Brian Buege \|author3=Randy Layman \| title = Hacking Exposed J2EE & Java \| year = 2006 \| publisher = McGraw-Hill Primis \| pages = 426 \| isbn = 0-390-59975-1 }}

		⚫	{{Computer security}}
	{{DEFAULTSORT:Secure Coding}}		{{DEFAULTSORT:Secure Coding}}
	[[Category:Computer security]]		[[Category:Computer security]]

Citation bot: Alter: url. URLs might have been anonymized. Add: id. | Use this bot. Report bugs. | #UCB_CommandLine

2023-10-30T21:12:44Z

Alter: url. URLs might have been anonymized. Add: id. | Use this bot. Report bugs. | #UCB_CommandLine

← Previous revision		Revision as of 21:12, 30 October 2023
Line 9:		Line 9:
	'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>		'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>

	Some scholars have suggested that in order to effectively confront threats related to cybersecurity, proper security should be coded or “baked in” to the systems. With security being designed into the software, this ensures that there will be protection against insider attacks and reduces the threat to application security.<ref>{{Cite journal \|last=Russell L \|first=Jones \|date=Dec 2004 \|title=Secure Coding: Building Security into the Software Development Life Cycle \|url=https://www.proquest.com/docview/229507883~~/abstract/E89CDDD675AD445APQ/1?accountid=13802~~ \|journal=Information Systems Security}}</ref>		Some scholars have suggested that in order to effectively confront threats related to cybersecurity, proper security should be coded or “baked in” to the systems. With security being designed into the software, this ensures that there will be protection against insider attacks and reduces the threat to application security.<ref>{{Cite journal \|last=Russell L \|first=Jones \|date=Dec 2004 \|title=Secure Coding: Building Security into the Software Development Life Cycle \|url=https://www.proquest.com/docview/229507883 \|journal=Information Systems Security\|id={{ProQuest\|229507883}} }}</ref>

	== Buffer-overflow prevention ==		== Buffer-overflow prevention ==

Claudiajoyce: /* See also */ Added bullet points and hyperlink

2023-10-06T20:53:53Z

See also: Added bullet points and hyperlink

← Previous revision		Revision as of 20:53, 6 October 2023
Line 79:		Line 79:

	== See also ==		== See also ==
			* [[Application security\|Application Security]]
	* [[Defensive programming]]		* [[Defensive programming]]
	* [[Security bug]]		* [[Security bug]]
			* [[Secure by default]]

	== Notes ==		== Notes ==

Claudiajoyce: Added paragraph to Overview

2023-10-06T20:52:35Z

Added paragraph to Overview

← Previous revision		Revision as of 20:52, 6 October 2023
Line 8:		Line 8:

	'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>		'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>

			Some scholars have suggested that in order to effectively confront threats related to cybersecurity, proper security should be coded or “baked in” to the systems. With security being designed into the software, this ensures that there will be protection against insider attacks and reduces the threat to application security.<ref>{{Cite journal \|last=Russell L \|first=Jones \|date=Dec 2004 \|title=Secure Coding: Building Security into the Software Development Life Cycle \|url=https://www.proquest.com/docview/229507883/abstract/E89CDDD675AD445APQ/1?accountid=13802 \|journal=Information Systems Security}}</ref>

	== Buffer-overflow prevention ==		== Buffer-overflow prevention ==

Citation bot: Alter: title, template type. Add: chapter-url, chapter. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox3 | #UCB_webform_linked 1819/2306

2023-08-08T22:18:44Z

Alter: title, template type. Add: chapter-url, chapter. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox3 | #UCB_webform_linked 1819/2306

← Previous revision		Revision as of 22:18, 8 August 2023
Line 7:		Line 7:
	{{Computer security}}		{{Computer security}}

	'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite ~~journal~~\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|~~date~~=~~2006-09-22~~\|~~title~~=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum\|url=https://doi.org/10.1145/1231047.1231053~~\|journal=Proceedings of the 3rd Annual Conference on Information Security Curriculum Development~~\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>		'''Secure coding''' is the practice of developing computer [[software]] in such a way that guards against the accidental introduction of [[security vulnerabilities]]. Defects, [[Software bug\|bugs]] and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.<ref>{{Cite book\|last1=Taylor\|first1=Blair\|last2=Azadegan\|first2=Shiva\|title=Proceedings of the 3rd annual conference on Information security curriculum development \|chapter=Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum \|date=2006-09-22\|chapter-url=https://doi.org/10.1145/1231047.1231053\|series=InfoSecCD '06\|location=Kennesaw, Georgia\|publisher=Association for Computing Machinery\|pages=24–29\|doi=10.1145/1231047.1231053\|isbn=978-1-59593-437-6\|s2cid=2452783}}</ref>

	== Buffer-overflow prevention ==		== Buffer-overflow prevention ==

HeyElliott: /* Format-string attack prevention */ MOS:CQ

2023-06-04T05:29:53Z

Format-string attack prevention: MOS:CQ

← Previous revision		Revision as of 05:29, 4 June 2023
Line 45:		Line 45:
	printf(malicious_input);		printf(malicious_input);
	}		}
	</syntaxhighlight>A malicious argument passed to the program could be “%s%s%s%s%s%s%s”, which can crash the program from improper memory reads.		</syntaxhighlight>A malicious argument passed to the program could be "%s%s%s%s%s%s%s", which can crash the program from improper memory reads.

	== Integer-overflow prevention ==		== Integer-overflow prevention ==